]>
git.saurik.com Git - apple/xnu.git/blob - bsd/security/audit/audit_bsm.c
2 * Copyright (c) 1999-2016 Apple Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
30 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
31 * support for mandatory and extensible security protections. This notice
32 * is included in support of clause 2.2 (b) of the Apple Public License,
36 #include <sys/types.h>
37 #include <sys/vnode_internal.h>
40 #include <sys/socketvar.h>
41 #include <sys/socket.h>
42 #include <sys/queue.h>
43 #include <sys/fcntl.h>
47 #include <bsm/audit.h>
48 #include <bsm/audit_internal.h>
49 #include <bsm/audit_record.h>
50 #include <bsm/audit_kevents.h>
52 #include <security/audit/audit.h>
53 #include <security/audit/audit_bsd.h>
54 #include <security/audit/audit_private.h>
56 #include <netinet/in_systm.h>
57 #include <netinet/in.h>
58 #include <netinet/ip.h>
61 MALLOC_DEFINE(M_AUDITBSM
, "audit_bsm", "Audit BSM data");
64 #include <security/mac_framework.h>
67 static void audit_sys_auditon(struct audit_record
*ar
,
68 struct au_record
*rec
);
69 static void audit_sys_fcntl(struct kaudit_record
*kar
,
70 struct au_record
*rec
);
73 * Initialize the BSM auditing subsystem.
83 * This call reserves memory for the audit record. Memory must be guaranteed
84 * before any auditable event can be generated. The au_record structure
85 * maintains a reference to the memory allocated above and also the list of
86 * tokens associated with this record.
88 static struct au_record
*
91 struct au_record
*rec
;
93 rec
= malloc(sizeof(*rec
), M_AUDITBSM
, M_WAITOK
);
95 TAILQ_INIT(&rec
->token_q
);
103 * Store the token with the record descriptor.
106 kau_write(struct au_record
*rec
, struct au_token
*tok
)
109 KASSERT(tok
!= NULL
, ("kau_write: tok == NULL"));
111 TAILQ_INSERT_TAIL(&rec
->token_q
, tok
, tokens
);
112 rec
->len
+= tok
->len
;
116 * Close out the audit record by adding the header token, identifying any
117 * missing tokens. Write out the tokens to the record memory.
120 kau_close(struct au_record
*rec
, struct timespec
*ctime
, short event
)
124 token_t
*cur
, *hdr
, *trail
;
127 struct auditinfo_addr ak
;
130 audit_get_kinfo(&ak
);
132 switch (ak
.ai_termid
.at_type
) {
134 hdrsize
= (ak
.ai_termid
.at_addr
[0] == INADDR_ANY
) ?
135 AUDIT_HEADER_SIZE
: AUDIT_HEADER_EX_SIZE(&ak
);
138 ap
= (struct in6_addr
*)&ak
.ai_termid
.at_addr
[0];
139 hdrsize
= (IN6_IS_ADDR_UNSPECIFIED(ap
)) ? AUDIT_HEADER_SIZE
:
140 AUDIT_HEADER_EX_SIZE(&ak
);
143 panic("kau_close: invalid address family");
145 tot_rec_size
= rec
->len
+ AUDIT_HEADER_SIZE
+ AUDIT_TRAILER_SIZE
;
146 rec
->data
= malloc(tot_rec_size
, M_AUDITBSM
, M_WAITOK
| M_ZERO
);
148 tm
.tv_usec
= ctime
->tv_nsec
/ 1000;
149 tm
.tv_sec
= ctime
->tv_sec
;
150 if (hdrsize
!= AUDIT_HEADER_SIZE
)
151 hdr
= au_to_header32_ex_tm(tot_rec_size
, event
, 0, tm
, &ak
);
153 hdr
= au_to_header32_tm(tot_rec_size
, event
, 0, tm
);
154 TAILQ_INSERT_HEAD(&rec
->token_q
, hdr
, tokens
);
156 trail
= au_to_trailer(tot_rec_size
);
157 TAILQ_INSERT_TAIL(&rec
->token_q
, trail
, tokens
);
159 rec
->len
= tot_rec_size
;
161 TAILQ_FOREACH(cur
, &rec
->token_q
, tokens
) {
162 memcpy(dptr
, cur
->t_data
, cur
->len
);
168 * Free a BSM audit record by releasing all the tokens and clearing the audit
169 * record information.
172 kau_free(struct au_record
*rec
)
174 struct au_token
*tok
;
176 /* Free the token list. */
177 while ((tok
= TAILQ_FIRST(&rec
->token_q
))) {
178 TAILQ_REMOVE(&rec
->token_q
, tok
, tokens
);
179 free(tok
->t_data
, M_AUDITBSM
);
180 free(tok
, M_AUDITBSM
);
185 free(rec
->data
, M_AUDITBSM
);
186 free(rec
, M_AUDITBSM
);
190 * XXX: May want turn some (or all) of these macros into functions in order
191 * to reduce the generated code size.
193 * XXXAUDIT: These macros assume that 'kar', 'ar', 'rec', and 'tok' in the
194 * caller are OK with this.
197 #define MAC_VNODE1_LABEL_TOKEN do { \
198 if (ar->ar_vnode1_mac_labels != NULL && \
199 strlen(ar->ar_vnode1_mac_labels) != 0) { \
200 tok = au_to_text(ar->ar_vnode1_mac_labels); \
201 kau_write(rec, tok); \
205 #define MAC_VNODE2_LABEL_TOKEN do { \
206 if (ar->ar_vnode2_mac_labels != NULL && \
207 strlen(ar->ar_vnode2_mac_labels) != 0) { \
208 tok = au_to_text(ar->ar_vnode2_mac_labels); \
209 kau_write(rec, tok); \
213 #define MAC_VNODE1_LABEL_TOKEN
214 #define MAC_VNODE2_LABEL_TOKEN
216 #define UPATH1_TOKENS do { \
217 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
218 tok = au_to_path(ar->ar_arg_upath1); \
219 kau_write(rec, tok); \
223 #define UPATH2_TOKENS do { \
224 if (ARG_IS_VALID(kar, ARG_UPATH2)) { \
225 tok = au_to_path(ar->ar_arg_upath2); \
226 kau_write(rec, tok); \
230 #define VNODE1_TOKENS do { \
231 if (ARG_IS_VALID(kar, ARG_KPATH1)) { \
232 tok = au_to_path(ar->ar_arg_kpath1); \
233 kau_write(rec, tok); \
235 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
236 tok = au_to_attr32(&ar->ar_arg_vnode1); \
237 kau_write(rec, tok); \
238 MAC_VNODE1_LABEL_TOKEN; \
242 #define UPATH1_VNODE1_TOKENS do { \
243 if (ARG_IS_VALID(kar, ARG_UPATH1)) { \
244 tok = au_to_path(ar->ar_arg_upath1); \
245 kau_write(rec, tok); \
247 if (ARG_IS_VALID(kar, ARG_KPATH1)) { \
248 tok = au_to_path(ar->ar_arg_kpath1); \
249 kau_write(rec, tok); \
251 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
252 tok = au_to_attr32(&ar->ar_arg_vnode1); \
253 kau_write(rec, tok); \
254 MAC_VNODE1_LABEL_TOKEN; \
258 #define VNODE2_TOKENS do { \
259 if (ARG_IS_VALID(kar, ARG_VNODE2)) { \
260 tok = au_to_attr32(&ar->ar_arg_vnode2); \
261 kau_write(rec, tok); \
262 MAC_VNODE2_LABEL_TOKEN; \
266 #define FD_VNODE1_TOKENS do { \
267 if (ARG_IS_VALID(kar, ARG_VNODE1)) { \
268 if (ARG_IS_VALID(kar, ARG_KPATH1)) { \
269 tok = au_to_path(ar->ar_arg_kpath1); \
270 kau_write(rec, tok); \
272 if (ARG_IS_VALID(kar, ARG_FD)) { \
273 tok = au_to_arg32(1, "fd", ar->ar_arg_fd); \
274 kau_write(rec, tok); \
275 MAC_VNODE1_LABEL_TOKEN; \
277 tok = au_to_attr32(&ar->ar_arg_vnode1); \
278 kau_write(rec, tok); \
280 if (ARG_IS_VALID(kar, ARG_FD)) { \
281 tok = au_to_arg32(1, "fd", \
283 kau_write(rec, tok); \
284 MAC_VNODE1_LABEL_TOKEN; \
289 #define PROCESS_PID_TOKENS(argn) do { \
290 if ((ar->ar_arg_pid > 0) /* Reference a single process */ \
291 && (ARG_IS_VALID(kar, ARG_PROCESS))) { \
292 tok = au_to_process32_ex(ar->ar_arg_auid, \
293 ar->ar_arg_euid, ar->ar_arg_egid, \
294 ar->ar_arg_ruid, ar->ar_arg_rgid, \
295 ar->ar_arg_pid, ar->ar_arg_asid, \
296 &ar->ar_arg_termid_addr); \
297 kau_write(rec, tok); \
298 } else if (ARG_IS_VALID(kar, ARG_PID)) { \
299 tok = au_to_arg32(argn, "process", ar->ar_arg_pid); \
300 kau_write(rec, tok); \
304 #define EXTATTR_TOKENS do { \
305 if (ARG_IS_VALID(kar, ARG_VALUE32)) { \
306 switch (ar->ar_arg_value32) { \
307 case EXTATTR_NAMESPACE_USER: \
308 tok = au_to_text(EXTATTR_NAMESPACE_USER_STRING);\
310 case EXTATTR_NAMESPACE_SYSTEM: \
311 tok = au_to_text(EXTATTR_NAMESPACE_SYSTEM_STRING);\
314 tok = au_to_arg32(3, "attrnamespace", \
315 ar->ar_arg_value32); \
318 kau_write(rec, tok); \
320 /* attrname is in the text field */ \
321 if (ARG_IS_VALID(kar, ARG_TEXT)) { \
322 tok = au_to_text(ar->ar_arg_text); \
323 kau_write(rec, tok); \
327 #define EXTENDED_TOKENS(n) do { \
329 if (ARG_IS_VALID(kar, ARG_OPAQUE)) { \
330 tok = au_to_opaque(ar->ar_arg_opaque, \
331 ar->ar_arg_opq_size); \
332 kau_write(rec, tok); \
334 if (ARG_IS_VALID(kar, ARG_MODE)) { \
335 tok = au_to_arg32(n+2, "mode", ar->ar_arg_mode);\
336 kau_write(rec, tok); \
338 if (ARG_IS_VALID(kar, ARG_GID)) { \
339 tok = au_to_arg32(n+1, "gid", ar->ar_arg_gid); \
340 kau_write(rec, tok); \
342 if (ARG_IS_VALID(kar, ARG_UID)) { \
343 tok = au_to_arg32(n, "uid", ar->ar_arg_uid); \
344 kau_write(rec, tok); \
348 #define PROCESS_MAC_TOKENS do { \
349 if (ar->ar_valid_arg & ARG_MAC_STRING) { \
350 tok = au_to_text(ar->ar_arg_mac_string); \
351 kau_write(rec, tok); \
356 * Implement auditing for the auditon() system call. The audit tokens that
357 * are generated depend on the command that was sent into the auditon()
361 audit_sys_auditon(struct audit_record
*ar
, struct au_record
*rec
)
363 struct au_token
*tok
;
365 switch (ar
->ar_arg_cmd
) {
367 if (ar
->ar_arg_len
> sizeof(int)) {
368 tok
= au_to_arg32(3, "length", ar
->ar_arg_len
);
370 tok
= au_to_arg64(2, "policy",
371 ar
->ar_arg_auditon
.au_policy64
);
377 tok
= au_to_arg32(3, "length", ar
->ar_arg_len
);
379 tok
= au_to_arg32(2, "policy", ar
->ar_arg_auditon
.au_policy
);
384 tok
= au_to_arg32(3, "length", ar
->ar_arg_len
);
386 tok
= au_to_arg32(2, "setkmask:as_success",
387 ar
->ar_arg_auditon
.au_mask
.am_success
);
389 tok
= au_to_arg32(2, "setkmask:as_failure",
390 ar
->ar_arg_auditon
.au_mask
.am_failure
);
395 if (ar
->ar_arg_len
> sizeof(au_qctrl_t
)) {
396 tok
= au_to_arg32(3, "length", ar
->ar_arg_len
);
398 tok
= au_to_arg64(2, "setqctrl:aq_hiwater",
399 ar
->ar_arg_auditon
.au_qctrl64
.aq64_hiwater
);
401 tok
= au_to_arg64(2, "setqctrl:aq_lowater",
402 ar
->ar_arg_auditon
.au_qctrl64
.aq64_lowater
);
404 tok
= au_to_arg64(2, "setqctrl:aq_bufsz",
405 ar
->ar_arg_auditon
.au_qctrl64
.aq64_bufsz
);
407 tok
= au_to_arg64(2, "setqctrl:aq_delay",
408 ar
->ar_arg_auditon
.au_qctrl64
.aq64_delay
);
410 tok
= au_to_arg32(2, "setqctrl:aq_minfree",
411 ar
->ar_arg_auditon
.au_qctrl64
.aq64_minfree
);
417 tok
= au_to_arg32(3, "length", ar
->ar_arg_len
);
419 tok
= au_to_arg32(2, "setqctrl:aq_hiwater",
420 ar
->ar_arg_auditon
.au_qctrl
.aq_hiwater
);
422 tok
= au_to_arg32(2, "setqctrl:aq_lowater",
423 ar
->ar_arg_auditon
.au_qctrl
.aq_lowater
);
425 tok
= au_to_arg32(2, "setqctrl:aq_bufsz",
426 ar
->ar_arg_auditon
.au_qctrl
.aq_bufsz
);
428 tok
= au_to_arg32(2, "setqctrl:aq_delay",
429 ar
->ar_arg_auditon
.au_qctrl
.aq_delay
);
431 tok
= au_to_arg32(2, "setqctrl:aq_minfree",
432 ar
->ar_arg_auditon
.au_qctrl
.aq_minfree
);
437 tok
= au_to_arg32(3, "length", ar
->ar_arg_len
);
439 tok
= au_to_arg32(2, "setumask:as_success",
440 ar
->ar_arg_auditon
.au_auinfo
.ai_mask
.am_success
);
442 tok
= au_to_arg32(2, "setumask:as_failure",
443 ar
->ar_arg_auditon
.au_auinfo
.ai_mask
.am_failure
);
448 tok
= au_to_arg32(3, "length", ar
->ar_arg_len
);
450 tok
= au_to_arg32(2, "setsmask:as_success",
451 ar
->ar_arg_auditon
.au_auinfo
.ai_mask
.am_success
);
453 tok
= au_to_arg32(2, "setsmask:as_failure",
454 ar
->ar_arg_auditon
.au_auinfo
.ai_mask
.am_failure
);
459 if (ar
->ar_arg_len
> sizeof(int)) {
460 tok
= au_to_arg32(3, "length", ar
->ar_arg_len
);
462 tok
= au_to_arg64(2, "setcond",
463 ar
->ar_arg_auditon
.au_cond64
);
469 tok
= au_to_arg32(3, "length", ar
->ar_arg_len
);
471 tok
= au_to_arg32(2, "setcond", ar
->ar_arg_auditon
.au_cond
);
476 tok
= au_to_arg32(3, "length", ar
->ar_arg_len
);
478 tok
= au_to_arg32(2, "setclass:ec_event",
479 ar
->ar_arg_auditon
.au_evclass
.ec_number
);
481 tok
= au_to_arg32(3, "setclass:ec_class",
482 ar
->ar_arg_auditon
.au_evclass
.ec_class
);
487 tok
= au_to_arg32(3, "length", ar
->ar_arg_len
);
489 tok
= au_to_arg32(2, "setpmask:as_success",
490 ar
->ar_arg_auditon
.au_aupinfo
.ap_mask
.am_success
);
492 tok
= au_to_arg32(2, "setpmask:as_failure",
493 ar
->ar_arg_auditon
.au_aupinfo
.ap_mask
.am_failure
);
498 tok
= au_to_arg32(3, "length", ar
->ar_arg_len
);
500 tok
= au_to_arg32(2, "setfsize:filesize",
501 ar
->ar_arg_auditon
.au_fstat
.af_filesz
);
508 tok
= au_to_arg32(1, "cmd", ar
->ar_arg_cmd
);
513 * Implement auditing for the fcntl() system call. The audit tokens that
514 * are generated depend on the command that was sent into the fcntl()
518 audit_sys_fcntl(struct kaudit_record
*kar
, struct au_record
*rec
)
520 struct au_token
*tok
;
521 struct audit_record
*ar
= &kar
->k_ar
;
523 switch (ar
->ar_arg_cmd
) {
526 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
527 tok
= au_to_arg32(3, "min fd", ar
->ar_arg_value32
);
533 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
534 tok
= au_to_arg32(3, "close-on-exec flag",
541 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
542 tok
= au_to_arg32(3, "fd flags", ar
->ar_arg_value32
);
548 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
549 tok
= au_to_arg32(3, "pid", ar
->ar_arg_value32
);
556 if (ARG_IS_VALID(kar
, ARG_VALUE64
)) {
557 tok
= au_to_arg64(3, "offset", ar
->ar_arg_value64
);
561 #endif /* F_SETSIZE */
563 #ifdef F_PATHPKG_CHECK
564 case F_PATHPKG_CHECK
:
565 if (ARG_IS_VALID(kar
, ARG_TEXT
)) {
566 tok
= au_to_text(ar
->ar_arg_text
);
575 tok
= au_to_arg32(2, "cmd", au_fcntl_cmd_to_bsm(ar
->ar_arg_cmd
));
580 * Convert an internal kernel audit record to a BSM record and return a
581 * success/failure indicator. The BSM record is passed as an out parameter to
585 * BSM_SUCCESS: The BSM record is valid
586 * BSM_FAILURE: Failure; the BSM record is NULL.
587 * BSM_NOAUDIT: The event is not auditable for BSM; the BSM record is NULL.
590 kaudit_to_bsm(struct kaudit_record
*kar
, struct au_record
**pau
)
592 struct au_token
*tok
= NULL
, *subj_tok
;
593 struct au_record
*rec
;
595 struct audit_record
*ar
;
599 KASSERT(kar
!= NULL
, ("kaudit_to_bsm: kar == NULL"));
606 * Create the subject token.
608 switch (ar
->ar_subj_term_addr
.at_type
) {
610 tid
.port
= ar
->ar_subj_term_addr
.at_port
;
611 tid
.machine
= ar
->ar_subj_term_addr
.at_addr
[0];
612 subj_tok
= au_to_subject32(ar
->ar_subj_auid
, /* audit ID */
613 ar
->ar_subj_cred
.cr_uid
, /* eff uid */
614 ar
->ar_subj_egid
, /* eff group id */
615 ar
->ar_subj_ruid
, /* real uid */
616 ar
->ar_subj_rgid
, /* real group id */
617 ar
->ar_subj_pid
, /* process id */
618 ar
->ar_subj_asid
, /* session ID */
622 subj_tok
= au_to_subject32_ex(ar
->ar_subj_auid
,
623 ar
->ar_subj_cred
.cr_uid
,
629 &ar
->ar_subj_term_addr
);
632 bzero(&tid
, sizeof(tid
));
633 subj_tok
= au_to_subject32(ar
->ar_subj_auid
,
634 ar
->ar_subj_cred
.cr_uid
,
644 * The logic inside each case fills in the tokens required for the
645 * event, except for the header, trailer, and return tokens. The
646 * header and trailer tokens are added by the kau_close() function.
647 * The return token is added outside of the switch statement.
649 switch(ar
->ar_event
) {
651 /* For sendfile the file and socket descriptor are both saved */
652 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
653 tok
= au_to_arg32(2, "sd", ar
->ar_arg_value32
);
666 * Socket-related events.
668 if (ARG_IS_VALID(kar
, ARG_FD
)) {
669 tok
= au_to_arg32(1, "fd", ar
->ar_arg_fd
);
672 if (ARG_IS_VALID(kar
, ARG_SADDRINET
)) {
673 tok
= au_to_sock_inet((struct sockaddr_in
*)
674 &ar
->ar_arg_sockaddr
);
677 if (ARG_IS_VALID(kar
, ARG_SADDRUNIX
)) {
678 tok
= au_to_sock_unix((struct sockaddr_un
*)
679 &ar
->ar_arg_sockaddr
);
683 if (ARG_IS_VALID(kar
, ARG_SADDRINET6
)) {
684 tok
= au_to_sock_inet128((struct sockaddr_in6
*)
685 &ar
->ar_arg_sockaddr
);
692 if (ARG_IS_VALID(kar
, ARG_SOCKINFO
)) {
693 tok
= au_to_arg32(1,"domain",
694 au_domain_to_bsm(ar
->ar_arg_sockinfo
.sai_domain
));
696 tok
= au_to_arg32(2,"type",
697 au_socket_type_to_bsm(ar
->ar_arg_sockinfo
.sai_type
));
699 tok
= au_to_arg32(3,"protocol",
700 ar
->ar_arg_sockinfo
.sai_protocol
);
707 if (ARG_IS_VALID(kar
, ARG_FD
)) {
708 tok
= au_to_arg32(1, "fd", ar
->ar_arg_fd
);
714 if (ARG_IS_VALID(kar
, (ARG_KPATH1
| ARG_UPATH1
))) {
715 UPATH1_VNODE1_TOKENS
;
717 tok
= au_to_arg32(1, "accounting off", 0);
723 if (ARG_IS_VALID(kar
, ARG_AUID
)) {
724 tok
= au_to_arg32(2, "setauid", ar
->ar_arg_auid
);
730 if (ARG_IS_VALID(kar
, ARG_AUID
) &&
731 ARG_IS_VALID(kar
, ARG_ASID
) &&
732 ARG_IS_VALID(kar
, ARG_AMASK
) &&
733 ARG_IS_VALID(kar
, ARG_TERMID
)) {
734 tok
= au_to_arg32(1, "setaudit:auid",
737 tok
= au_to_arg32(1, "setaudit:port",
738 ar
->ar_arg_termid
.port
);
740 tok
= au_to_arg32(1, "setaudit:machine",
741 ar
->ar_arg_termid
.machine
);
743 tok
= au_to_arg32(1, "setaudit:as_success",
744 ar
->ar_arg_amask
.am_success
);
746 tok
= au_to_arg32(1, "setaudit:as_failure",
747 ar
->ar_arg_amask
.am_failure
);
749 tok
= au_to_arg32(1, "setaudit:asid",
755 case AUE_SETAUDIT_ADDR
:
756 if (ARG_IS_VALID(kar
, ARG_AUID
) &&
757 ARG_IS_VALID(kar
, ARG_ASID
) &&
758 ARG_IS_VALID(kar
, ARG_AMASK
) &&
759 ARG_IS_VALID(kar
, ARG_TERMID_ADDR
)) {
760 tok
= au_to_arg32(1, "setaudit_addr:auid",
763 tok
= au_to_arg32(1, "setaudit_addr:as_success",
764 ar
->ar_arg_amask
.am_success
);
766 tok
= au_to_arg32(1, "setaudit_addr:as_failure",
767 ar
->ar_arg_amask
.am_failure
);
769 tok
= au_to_arg32(1, "setaudit_addr:asid",
772 tok
= au_to_arg32(1, "setaudit_addr:type",
773 ar
->ar_arg_termid_addr
.at_type
);
775 tok
= au_to_arg32(1, "setaudit_addr:port",
776 ar
->ar_arg_termid_addr
.at_port
);
778 if (ar
->ar_arg_termid_addr
.at_type
== AU_IPv6
)
779 tok
= au_to_in_addr_ex((struct in6_addr
*)
780 &ar
->ar_arg_termid_addr
.at_addr
[0]);
781 if (ar
->ar_arg_termid_addr
.at_type
== AU_IPv4
)
782 tok
= au_to_in_addr((struct in_addr
*)
783 &ar
->ar_arg_termid_addr
.at_addr
[0]);
790 * For AUDITON commands without own event, audit the cmd.
792 if (ARG_IS_VALID(kar
, ARG_CMD
)) {
793 tok
= au_to_arg32(1, "cmd", ar
->ar_arg_cmd
);
798 case AUE_AUDITON_GETCAR
:
799 case AUE_AUDITON_GETCLASS
:
800 case AUE_AUDITON_GETCOND
:
801 case AUE_AUDITON_GETCWD
:
802 case AUE_AUDITON_GETKMASK
:
803 case AUE_AUDITON_GETSTAT
:
804 case AUE_AUDITON_GPOLICY
:
805 case AUE_AUDITON_GQCTRL
:
806 case AUE_AUDITON_SETCLASS
:
807 case AUE_AUDITON_SETCOND
:
808 case AUE_AUDITON_SETKMASK
:
809 case AUE_AUDITON_SETSMASK
:
810 case AUE_AUDITON_SETSTAT
:
811 case AUE_AUDITON_SETUMASK
:
812 case AUE_AUDITON_SPOLICY
:
813 case AUE_AUDITON_SQCTRL
:
814 if (ARG_IS_VALID(kar
, ARG_AUDITON
))
815 audit_sys_auditon(ar
, rec
);
819 UPATH1_VNODE1_TOKENS
;
823 if (ARG_IS_VALID(kar
, ARG_EXIT
)) {
824 tok
= au_to_exit(ar
->ar_arg_exitretval
,
825 ar
->ar_arg_exitstatus
);
834 case AUE_GETAUDIT_ADDR
:
840 /* XXXss replace with kext */
844 case AUE_MAC_GETFSSTAT
:
852 case AUE_SETTIMEOFDAY
:
853 case AUE_KDEBUGTRACE
:
854 case AUE_PTHREADSIGMASK
:
856 * Header, subject, and return tokens added at end.
861 if (ARG_IS_VALID(kar
, ARG_MODE
)) {
862 tok
= au_to_arg32(2, "mode", ar
->ar_arg_mode
);
865 UPATH1_VNODE1_TOKENS
;
868 case AUE_ACCESS_EXTENDED
:
870 * The access_extended() argument vector is stored in an
873 if (ARG_IS_VALID(kar
, ARG_OPAQUE
)) {
874 tok
= au_to_opaque(ar
->ar_arg_opaque
,
875 ar
->ar_arg_opq_size
);
879 * The access_extended() result vector is stored in an arbitrary
882 if (ARG_IS_VALID(kar
, ARG_DATA
)) {
883 tok
= au_to_data(AUP_DECIMAL
, ar
->ar_arg_data_type
,
884 ar
->ar_arg_data_count
, ar
->ar_arg_data
);
887 UPATH1_VNODE1_TOKENS
;
890 case AUE_LSTAT_EXTENDED
:
891 case AUE_STAT_EXTENDED
:
895 case AUE_GETATTRLIST
:
903 case AUE_SETATTRLIST
:
910 UPATH1_VNODE1_TOKENS
;
917 if (ARG_IS_VALID(kar
, ARG_FFLAGS
)) {
918 tok
= au_to_arg32(2, "flags", ar
->ar_arg_fflags
);
921 UPATH1_VNODE1_TOKENS
;
925 if (ARG_IS_VALID(kar
, ARG_MODE
)) {
926 tok
= au_to_arg32(2, "new file mode",
930 UPATH1_VNODE1_TOKENS
;
935 if (ARG_IS_VALID(kar
, ARG_UID
)) {
936 tok
= au_to_arg32(2, "new file uid", ar
->ar_arg_uid
);
939 if (ARG_IS_VALID(kar
, ARG_GID
)) {
940 tok
= au_to_arg32(3, "new file gid", ar
->ar_arg_gid
);
943 UPATH1_VNODE1_TOKENS
;
946 case AUE_EXCHANGEDATA
:
947 UPATH1_VNODE1_TOKENS
;
952 if (ARG_IS_VALID(kar
, ARG_FD
)) {
953 tok
= au_to_arg32(2, "fd", ar
->ar_arg_fd
);
956 UPATH1_VNODE1_TOKENS
;
960 if (ARG_IS_VALID(kar
, ARG_SIGNUM
)) {
961 tok
= au_to_arg32(0, "signal", ar
->ar_arg_signum
);
964 UPATH1_VNODE1_TOKENS
;
967 case AUE_POSIX_SPAWN
:
968 if (ARG_IS_VALID(kar
, ARG_PID
)) {
969 tok
= au_to_arg32(0, "child PID", ar
->ar_arg_pid
);
975 if (ARG_IS_VALID(kar
, ARG_ARGV
)) {
976 tok
= au_to_exec_args(ar
->ar_arg_argv
,
980 if (ARG_IS_VALID(kar
, ARG_ENVV
)) {
981 tok
= au_to_exec_env(ar
->ar_arg_envv
,
985 UPATH1_VNODE1_TOKENS
;
988 case AUE_FCHMOD_EXTENDED
:
994 if (ARG_IS_VALID(kar
, ARG_MODE
)) {
995 tok
= au_to_arg32(2, "new file mode",
1003 tok
= au_to_arg32(1, "request", ar
->ar_arg_cmd
);
1004 kau_write(rec
, tok
);
1005 if (ar
->ar_valid_arg
& (ARG_KPATH1
| ARG_UPATH1
)) {
1006 UPATH1_VNODE1_TOKENS
;
1011 * XXXRW: Some of these need to handle non-vnode cases as well.
1013 case AUE_FSTAT_EXTENDED
:
1016 case AUE_FSTAT
: /* XXX Need to handle sockets and shm */
1021 case AUE_GETDIRENTRIES
:
1022 case AUE_GETDIRENTRIESATTR
:
1023 case AUE_GETATTRLISTBULK
:
1024 #if 0 /* XXXss new */
1037 if (ARG_IS_VALID(kar
, ARG_UID
)) {
1038 tok
= au_to_arg32(2, "new file uid", ar
->ar_arg_uid
);
1039 kau_write(rec
, tok
);
1041 if (ARG_IS_VALID(kar
, ARG_GID
)) {
1042 tok
= au_to_arg32(3, "new file gid", ar
->ar_arg_gid
);
1043 kau_write(rec
, tok
);
1049 if (ARG_IS_VALID(kar
, ARG_CMD
))
1050 audit_sys_fcntl(kar
, rec
);
1055 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1056 tok
= au_to_arg32(4, "options", ar
->ar_arg_value32
);
1057 kau_write(rec
, tok
);
1059 if (ARG_IS_VALID(kar
, ARG_CMD
)) {
1060 tok
= au_to_arg32(2, "cmd", ar
->ar_arg_cmd
);
1061 kau_write(rec
, tok
);
1063 UPATH1_VNODE1_TOKENS
;
1067 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1068 tok
= au_to_arg32(4, "options", ar
->ar_arg_value32
);
1069 kau_write(rec
, tok
);
1071 if (ARG_IS_VALID(kar
, ARG_CMD
)) {
1072 tok
= au_to_arg32(2, "cmd", ar
->ar_arg_cmd
);
1073 kau_write(rec
, tok
);
1080 if (ARG_IS_VALID(kar
, ARG_FFLAGS
)) {
1081 tok
= au_to_arg32(2, "flags", ar
->ar_arg_fflags
);
1082 kau_write(rec
, tok
);
1088 if (ARG_IS_VALID(kar
, ARG_CMD
)) {
1089 tok
= au_to_arg32(2, "operation", ar
->ar_arg_cmd
);
1090 kau_write(rec
, tok
);
1097 if (ARG_IS_VALID(kar
, ARG_PID
)) {
1098 tok
= au_to_arg32(0, "child PID", ar
->ar_arg_pid
);
1099 kau_write(rec
, tok
);
1104 if (ARG_IS_VALID(kar
, ARG_PID
)) {
1105 tok
= au_to_arg32(1, "pid", (u_int32_t
)ar
->ar_arg_pid
);
1106 kau_write(rec
, tok
);
1111 if (ARG_IS_VALID(kar
, ARG_PID
)) {
1112 tok
= au_to_arg32(1, "pid", (u_int32_t
)ar
->ar_arg_pid
);
1113 kau_write(rec
, tok
);
1115 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1116 tok
= au_to_arg32(2, "lcid",
1117 (u_int32_t
)ar
->ar_arg_value32
);
1118 kau_write(rec
, tok
);
1123 if (ARG_IS_VALID(kar
, ARG_CMD
)) {
1124 tok
= au_to_arg32(2, "cmd", ar
->ar_arg_cmd
);
1125 kau_write(rec
, tok
);
1127 if (ARG_IS_VALID(kar
, ARG_VALUE64
)) {
1128 tok
= au_to_arg64(2, "cmd", ar
->ar_arg_value64
);
1129 kau_write(rec
, tok
);
1131 if (ARG_IS_VALID(kar
, ARG_ADDR64
)) {
1132 tok
= au_to_arg64(3, "arg", ar
->ar_arg_addr
);
1133 kau_write(rec
, tok
);
1134 } else if (ARG_IS_VALID(kar
, ARG_ADDR32
)) {
1135 tok
= au_to_arg32(3, "arg",
1136 (u_int32_t
)ar
->ar_arg_addr
);
1137 kau_write(rec
, tok
);
1139 if (ARG_IS_VALID(kar
, ARG_VNODE1
))
1142 if (ARG_IS_VALID(kar
, ARG_SOCKINFO
)) {
1143 tok
= au_to_socket_ex(
1144 ar
->ar_arg_sockinfo
.sai_domain
,
1145 ar
->ar_arg_sockinfo
.sai_type
,
1147 &ar
->ar_arg_sockinfo
.sai_laddr
,
1149 &ar
->ar_arg_sockinfo
.sai_faddr
);
1150 kau_write(rec
, tok
);
1152 if (ARG_IS_VALID(kar
, ARG_FD
)) {
1153 tok
= au_to_arg32(1, "fd",
1155 kau_write(rec
, tok
);
1162 if (ARG_IS_VALID(kar
, ARG_SIGNUM
)) {
1163 tok
= au_to_arg32(2, "signal", ar
->ar_arg_signum
);
1164 kau_write(rec
, tok
);
1166 PROCESS_PID_TOKENS(1);
1171 UPATH1_VNODE1_TOKENS
;
1175 case AUE_MKDIR_EXTENDED
:
1176 case AUE_CHMOD_EXTENDED
:
1177 case AUE_MKFIFO_EXTENDED
:
1179 UPATH1_VNODE1_TOKENS
;
1183 if (ARG_IS_VALID(kar
, ARG_MODE
)) {
1184 tok
= au_to_arg32(2, "mode", ar
->ar_arg_mode
);
1185 kau_write(rec
, tok
);
1187 UPATH1_VNODE1_TOKENS
;
1191 if (ARG_IS_VALID(kar
, ARG_MODE
)) {
1192 tok
= au_to_arg32(2, "mode", ar
->ar_arg_mode
);
1193 kau_write(rec
, tok
);
1195 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1196 tok
= au_to_arg32(3, "dev", ar
->ar_arg_value32
);
1197 kau_write(rec
, tok
);
1199 UPATH1_VNODE1_TOKENS
;
1208 if (ARG_IS_VALID(kar
, ARG_ADDR64
)) {
1209 tok
= au_to_arg64(1, "addr", ar
->ar_arg_addr
);
1210 kau_write(rec
, tok
);
1211 } else if (ARG_IS_VALID(kar
, ARG_ADDR32
)) {
1212 tok
= au_to_arg32(1, "addr",
1213 (u_int32_t
)ar
->ar_arg_addr
);
1214 kau_write(rec
, tok
);
1216 if (ARG_IS_VALID(kar
, ARG_LEN
)) {
1217 tok
= au_to_arg64(2, "len", ar
->ar_arg_len
);
1218 kau_write(rec
, tok
);
1220 if (ar
->ar_event
== AUE_MMAP
)
1222 if (ar
->ar_event
== AUE_MPROTECT
) {
1223 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1224 tok
= au_to_arg32(3, "protection",
1225 ar
->ar_arg_value32
);
1226 kau_write(rec
, tok
);
1229 if (ar
->ar_event
== AUE_MINHERIT
) {
1230 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1231 tok
= au_to_arg32(3, "inherit",
1232 ar
->ar_arg_value32
);
1233 kau_write(rec
, tok
);
1244 /* XXX Need to handle NFS mounts */
1245 if (ARG_IS_VALID(kar
, ARG_FFLAGS
)) {
1246 tok
= au_to_arg32(3, "flags", ar
->ar_arg_fflags
);
1247 kau_write(rec
, tok
);
1249 if (ARG_IS_VALID(kar
, ARG_TEXT
)) {
1250 tok
= au_to_text(ar
->ar_arg_text
);
1251 kau_write(rec
, tok
);
1257 UPATH1_VNODE1_TOKENS
;
1261 ar
->ar_event
= audit_msgctl_to_event(ar
->ar_arg_svipc_cmd
);
1266 tok
= au_to_arg32(1, "msg ID", ar
->ar_arg_svipc_id
);
1267 kau_write(rec
, tok
);
1268 if (ar
->ar_errno
!= EINVAL
) {
1269 tok
= au_to_ipc(AT_IPC_MSG
, ar
->ar_arg_svipc_id
);
1270 kau_write(rec
, tok
);
1275 if (ar
->ar_errno
== 0) {
1276 if (ARG_IS_VALID(kar
, ARG_SVIPC_ID
)) {
1277 tok
= au_to_ipc(AT_IPC_MSG
,
1278 ar
->ar_arg_svipc_id
);
1279 kau_write(rec
, tok
);
1291 if (ARG_IS_VALID(kar
, ARG_FFLAGS
)) {
1292 tok
= au_to_arg32(2, "flags", ar
->ar_arg_fflags
);
1293 kau_write(rec
, tok
);
1295 UPATH1_VNODE1_TOKENS
;
1304 if (ARG_IS_VALID(kar
, ARG_MODE
)) {
1305 tok
= au_to_arg32(3, "mode", ar
->ar_arg_mode
);
1306 kau_write(rec
, tok
);
1308 if (ARG_IS_VALID(kar
, ARG_FFLAGS
)) {
1309 tok
= au_to_arg32(2, "flags", ar
->ar_arg_fflags
);
1310 kau_write(rec
, tok
);
1312 UPATH1_VNODE1_TOKENS
;
1315 case AUE_OPEN_EXTENDED
:
1316 case AUE_OPEN_EXTENDED_R
:
1317 case AUE_OPEN_EXTENDED_RT
:
1318 case AUE_OPEN_EXTENDED_RW
:
1319 case AUE_OPEN_EXTENDED_RWT
:
1320 case AUE_OPEN_EXTENDED_W
:
1321 case AUE_OPEN_EXTENDED_WT
:
1323 if (ARG_IS_VALID(kar
, ARG_FFLAGS
)) {
1324 tok
= au_to_arg32(2, "flags", ar
->ar_arg_fflags
);
1325 kau_write(rec
, tok
);
1327 UPATH1_VNODE1_TOKENS
;
1330 case AUE_OPEN_EXTENDED_RC
:
1331 case AUE_OPEN_EXTENDED_RTC
:
1332 case AUE_OPEN_EXTENDED_RWC
:
1333 case AUE_OPEN_EXTENDED_RWTC
:
1334 case AUE_OPEN_EXTENDED_WC
:
1335 case AUE_OPEN_EXTENDED_WTC
:
1337 if (ARG_IS_VALID(kar
, ARG_FFLAGS
)) {
1338 tok
= au_to_arg32(2, "flags", ar
->ar_arg_fflags
);
1339 kau_write(rec
, tok
);
1341 UPATH1_VNODE1_TOKENS
;
1348 case AUE_OPENAT_RWT
:
1351 if (ARG_IS_VALID(kar
, ARG_FFLAGS
)) {
1352 tok
= au_to_arg32(3, "flags", ar
->ar_arg_fflags
);
1353 kau_write(rec
, tok
);
1355 if (ARG_IS_VALID(kar
, ARG_FD
)) {
1356 tok
= au_to_arg32(1, "dir fd", ar
->ar_arg_fd
);
1357 kau_write(rec
, tok
);
1359 UPATH1_VNODE1_TOKENS
;
1363 case AUE_OPENAT_RTC
:
1364 case AUE_OPENAT_RWC
:
1365 case AUE_OPENAT_RWTC
:
1367 case AUE_OPENAT_WTC
:
1368 if (ARG_IS_VALID(kar
, ARG_MODE
)) {
1369 tok
= au_to_arg32(4, "mode", ar
->ar_arg_mode
);
1370 kau_write(rec
, tok
);
1372 if (ARG_IS_VALID(kar
, ARG_FFLAGS
)) {
1373 tok
= au_to_arg32(3, "flags", ar
->ar_arg_fflags
);
1374 kau_write(rec
, tok
);
1376 if (ARG_IS_VALID(kar
, ARG_FD
)) {
1377 tok
= au_to_arg32(1, "dir fd", ar
->ar_arg_fd
);
1378 kau_write(rec
, tok
);
1380 UPATH1_VNODE1_TOKENS
;
1384 case AUE_OPENBYID_R
:
1385 case AUE_OPENBYID_RT
:
1386 case AUE_OPENBYID_RW
:
1387 case AUE_OPENBYID_RWT
:
1388 case AUE_OPENBYID_W
:
1389 case AUE_OPENBYID_WT
:
1390 if (ARG_IS_VALID(kar
, ARG_FFLAGS
)) {
1391 tok
= au_to_arg32(3, "flags", ar
->ar_arg_fflags
);
1392 kau_write(rec
, tok
);
1394 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1395 tok
= au_to_arg32(1, "volfsid", ar
->ar_arg_value32
);
1396 kau_write(rec
, tok
);
1398 if (ARG_IS_VALID(kar
, ARG_VALUE64
)) {
1399 tok
= au_to_arg64(2, "objid", ar
->ar_arg_value64
);
1400 kau_write(rec
, tok
);
1411 case AUE_READLINKAT
:
1414 case AUE_GETATTRLISTAT
:
1415 if (ARG_IS_VALID(kar
, ARG_FD
)) {
1416 tok
= au_to_arg32(1, "dir fd", ar
->ar_arg_fd
);
1417 kau_write(rec
, tok
);
1419 UPATH1_VNODE1_TOKENS
;
1422 case AUE_CLONEFILEAT
:
1423 if (ARG_IS_VALID(kar
, ARG_FD
)) {
1424 tok
= au_to_arg32(1, "src dir fd", ar
->ar_arg_fd
);
1425 kau_write(rec
, tok
);
1427 UPATH1_VNODE1_TOKENS
;
1428 if (ARG_IS_VALID(kar
, ARG_FD2
)) {
1429 tok
= au_to_arg32(1, "dst dir fd", ar
->ar_arg_fd2
);
1430 kau_write(rec
, tok
);
1433 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1434 tok
= au_to_arg32(1, "flags", ar
->ar_arg_value32
);
1435 kau_write(rec
, tok
);
1439 case AUE_FCLONEFILEAT
:
1441 if (ARG_IS_VALID(kar
, ARG_FD2
)) {
1442 tok
= au_to_arg32(1, "dst dir fd", ar
->ar_arg_fd2
);
1443 kau_write(rec
, tok
);
1446 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1447 tok
= au_to_arg32(1, "flags", ar
->ar_arg_value32
);
1448 kau_write(rec
, tok
);
1453 if (ARG_IS_VALID(kar
, ARG_CMD
)) {
1454 tok
= au_to_arg32(1, "request", ar
->ar_arg_cmd
);
1455 kau_write(rec
, tok
);
1457 if (ARG_IS_VALID(kar
, ARG_ADDR64
)) {
1458 tok
= au_to_arg64(3, "addr", ar
->ar_arg_addr
);
1459 kau_write(rec
, tok
);
1460 } else if (ARG_IS_VALID(kar
, ARG_ADDR32
)) {
1461 tok
= au_to_arg32(3, "addr",
1462 (u_int32_t
)ar
->ar_arg_addr
);
1463 kau_write(rec
, tok
);
1465 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1466 tok
= au_to_arg32(4, "data", ar
->ar_arg_value32
);
1467 kau_write(rec
, tok
);
1469 PROCESS_PID_TOKENS(2);
1473 if (ARG_IS_VALID(kar
, ARG_CMD
)) {
1474 tok
= au_to_arg32(2, "command", ar
->ar_arg_cmd
);
1475 kau_write(rec
, tok
);
1477 if (ARG_IS_VALID(kar
, ARG_UID
)) {
1478 tok
= au_to_arg32(3, "uid", ar
->ar_arg_uid
);
1479 kau_write(rec
, tok
);
1481 UPATH1_VNODE1_TOKENS
;
1485 if (ARG_IS_VALID(kar
, ARG_CMD
)) {
1486 tok
= au_to_arg32(1, "howto", ar
->ar_arg_cmd
);
1487 kau_write(rec
, tok
);
1492 ar
->ar_event
= audit_semctl_to_event(ar
->ar_arg_svipc_cmd
);
1496 if (ARG_IS_VALID(kar
, ARG_SVIPC_ID
)) {
1497 tok
= au_to_arg32(1, "sem ID", ar
->ar_arg_svipc_id
);
1498 kau_write(rec
, tok
);
1499 if (ar
->ar_errno
!= EINVAL
) {
1500 tok
= au_to_ipc(AT_IPC_SEM
,
1501 ar
->ar_arg_svipc_id
);
1502 kau_write(rec
, tok
);
1508 if (ar
->ar_errno
== 0) {
1509 if (ARG_IS_VALID(kar
, ARG_SVIPC_ID
)) {
1510 tok
= au_to_ipc(AT_IPC_SEM
,
1511 ar
->ar_arg_svipc_id
);
1512 kau_write(rec
, tok
);
1518 if (ARG_IS_VALID(kar
, ARG_EGID
)) {
1519 tok
= au_to_arg32(1, "gid", ar
->ar_arg_egid
);
1520 kau_write(rec
, tok
);
1525 if (ARG_IS_VALID(kar
, ARG_EUID
)) {
1526 tok
= au_to_arg32(1, "uid", ar
->ar_arg_euid
);
1527 kau_write(rec
, tok
);
1532 if (ARG_IS_VALID(kar
, ARG_RGID
)) {
1533 tok
= au_to_arg32(1, "rgid", ar
->ar_arg_rgid
);
1534 kau_write(rec
, tok
);
1536 if (ARG_IS_VALID(kar
, ARG_EGID
)) {
1537 tok
= au_to_arg32(2, "egid", ar
->ar_arg_egid
);
1538 kau_write(rec
, tok
);
1543 if (ARG_IS_VALID(kar
, ARG_RUID
)) {
1544 tok
= au_to_arg32(1, "ruid", ar
->ar_arg_ruid
);
1545 kau_write(rec
, tok
);
1547 if (ARG_IS_VALID(kar
, ARG_EUID
)) {
1548 tok
= au_to_arg32(2, "euid", ar
->ar_arg_euid
);
1549 kau_write(rec
, tok
);
1554 if (ARG_IS_VALID(kar
, ARG_GID
)) {
1555 tok
= au_to_arg32(1, "gid", ar
->ar_arg_gid
);
1556 kau_write(rec
, tok
);
1561 if (ARG_IS_VALID(kar
, ARG_UID
)) {
1562 tok
= au_to_arg32(1, "uid", ar
->ar_arg_uid
);
1563 kau_write(rec
, tok
);
1568 if (ARG_IS_VALID(kar
, ARG_GROUPSET
)) {
1569 for (uctr
= 0; uctr
< ar
->ar_arg_groups
.gidset_size
;
1571 tok
= au_to_arg32(1, "setgroups",
1572 ar
->ar_arg_groups
.gidset
[uctr
]);
1573 kau_write(rec
, tok
);
1579 if (ARG_IS_VALID(kar
, ARG_TEXT
)) {
1580 tok
= au_to_text(ar
->ar_arg_text
);
1581 kau_write(rec
, tok
);
1585 case AUE_SETPRIORITY
:
1586 if (ARG_IS_VALID(kar
, ARG_CMD
)) {
1587 tok
= au_to_arg32(1, "which", ar
->ar_arg_cmd
);
1588 kau_write(rec
, tok
);
1590 if (ARG_IS_VALID(kar
, ARG_UID
)) {
1591 tok
= au_to_arg32(2, "who", ar
->ar_arg_uid
);
1592 kau_write(rec
, tok
);
1594 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1595 tok
= au_to_arg32(2, "priority", ar
->ar_arg_value32
);
1596 kau_write(rec
, tok
);
1600 case AUE_SETPRIVEXEC
:
1601 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1602 tok
= au_to_arg32(1, "flag", ar
->ar_arg_value32
);
1603 kau_write(rec
, tok
);
1607 /* AUE_SHMAT, AUE_SHMCTL, AUE_SHMDT and AUE_SHMGET are SysV IPC */
1609 if (ARG_IS_VALID(kar
, ARG_SVIPC_ID
)) {
1610 tok
= au_to_arg32(1, "shmid", ar
->ar_arg_svipc_id
);
1611 kau_write(rec
, tok
);
1612 /* XXXAUDIT: Does having the ipc token make sense? */
1613 tok
= au_to_ipc(AT_IPC_SHM
, ar
->ar_arg_svipc_id
);
1614 kau_write(rec
, tok
);
1616 if (ARG_IS_VALID(kar
, ARG_SVIPC_ADDR
)) {
1617 tok
= au_to_arg64(2, "shmaddr", ar
->ar_arg_svipc_addr
);
1618 kau_write(rec
, tok
);
1620 if (ARG_IS_VALID(kar
, ARG_SVIPC_PERM
)) {
1621 tok
= au_to_ipc_perm(&ar
->ar_arg_svipc_perm
);
1622 kau_write(rec
, tok
);
1627 if (ARG_IS_VALID(kar
, ARG_SVIPC_ID
)) {
1628 tok
= au_to_arg32(1, "shmid", ar
->ar_arg_svipc_id
);
1629 kau_write(rec
, tok
);
1630 /* XXXAUDIT: Does having the ipc token make sense? */
1631 tok
= au_to_ipc(AT_IPC_SHM
, ar
->ar_arg_svipc_id
);
1632 kau_write(rec
, tok
);
1634 switch (ar
->ar_arg_svipc_cmd
) {
1636 ar
->ar_event
= AUE_SHMCTL_STAT
;
1639 ar
->ar_event
= AUE_SHMCTL_RMID
;
1642 ar
->ar_event
= AUE_SHMCTL_SET
;
1643 if (ARG_IS_VALID(kar
, ARG_SVIPC_PERM
)) {
1644 tok
= au_to_ipc_perm(&ar
->ar_arg_svipc_perm
);
1645 kau_write(rec
, tok
);
1649 break; /* We will audit a bad command */
1654 if (ARG_IS_VALID(kar
, ARG_SVIPC_ADDR
)) {
1655 tok
= au_to_arg64(1, "shmaddr",
1656 (int)(uintptr_t)ar
->ar_arg_svipc_addr
);
1657 kau_write(rec
, tok
);
1662 /* This is unusual; the return value is in an argument token */
1663 if (ARG_IS_VALID(kar
, ARG_SVIPC_ID
)) {
1664 tok
= au_to_arg32(0, "shmid", ar
->ar_arg_svipc_id
);
1665 kau_write(rec
, tok
);
1666 tok
= au_to_ipc(AT_IPC_SHM
, ar
->ar_arg_svipc_id
);
1667 kau_write(rec
, tok
);
1669 if (ARG_IS_VALID(kar
, ARG_SVIPC_PERM
)) {
1670 tok
= au_to_ipc_perm(&ar
->ar_arg_svipc_perm
);
1671 kau_write(rec
, tok
);
1675 /* AUE_SHMOPEN, AUE_SHMUNLINK, AUE_SEMOPEN, AUE_SEMCLOSE
1676 * and AUE_SEMUNLINK are Posix IPC */
1678 if (ARG_IS_VALID(kar
, ARG_SVIPC_ADDR
)) {
1679 tok
= au_to_arg32(2, "flags", ar
->ar_arg_fflags
);
1680 kau_write(rec
, tok
);
1682 if (ARG_IS_VALID(kar
, ARG_MODE
)) {
1683 tok
= au_to_arg32(3, "mode", ar
->ar_arg_mode
);
1684 kau_write(rec
, tok
);
1689 if (ARG_IS_VALID(kar
, ARG_TEXT
)) {
1690 tok
= au_to_text(ar
->ar_arg_text
);
1691 kau_write(rec
, tok
);
1693 if (ARG_IS_VALID(kar
, ARG_POSIX_IPC_PERM
)) {
1694 struct ipc_perm perm
;
1696 perm
.uid
= ar
->ar_arg_pipc_perm
.pipc_uid
;
1697 perm
.gid
= ar
->ar_arg_pipc_perm
.pipc_gid
;
1698 perm
.cuid
= ar
->ar_arg_pipc_perm
.pipc_uid
;
1699 perm
.cgid
= ar
->ar_arg_pipc_perm
.pipc_gid
;
1700 perm
.mode
= ar
->ar_arg_pipc_perm
.pipc_mode
;
1703 tok
= au_to_ipc_perm(&perm
);
1704 kau_write(rec
, tok
);
1709 if (ARG_IS_VALID(kar
, ARG_FFLAGS
)) {
1710 tok
= au_to_arg32(2, "flags", ar
->ar_arg_fflags
);
1711 kau_write(rec
, tok
);
1713 if (ARG_IS_VALID(kar
, ARG_MODE
)) {
1714 tok
= au_to_arg32(3, "mode", ar
->ar_arg_mode
);
1715 kau_write(rec
, tok
);
1717 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1718 tok
= au_to_arg32(4, "value", ar
->ar_arg_value32
);
1719 kau_write(rec
, tok
);
1724 if (ARG_IS_VALID(kar
, ARG_TEXT
)) {
1725 tok
= au_to_text(ar
->ar_arg_text
);
1726 kau_write(rec
, tok
);
1728 if (ARG_IS_VALID(kar
, ARG_POSIX_IPC_PERM
)) {
1729 struct ipc_perm perm
;
1731 perm
.uid
= ar
->ar_arg_pipc_perm
.pipc_uid
;
1732 perm
.gid
= ar
->ar_arg_pipc_perm
.pipc_gid
;
1733 perm
.cuid
= ar
->ar_arg_pipc_perm
.pipc_uid
;
1734 perm
.cgid
= ar
->ar_arg_pipc_perm
.pipc_gid
;
1735 perm
.mode
= ar
->ar_arg_pipc_perm
.pipc_mode
;
1738 tok
= au_to_ipc_perm(&perm
);
1739 kau_write(rec
, tok
);
1744 if (ARG_IS_VALID(kar
, ARG_FD
)) {
1745 tok
= au_to_arg32(1, "sem", ar
->ar_arg_fd
);
1746 kau_write(rec
, tok
);
1751 if (ARG_IS_VALID(kar
, ARG_TEXT
)) {
1752 tok
= au_to_text(ar
->ar_arg_text
);
1753 kau_write(rec
, tok
);
1755 UPATH1_VNODE1_TOKENS
;
1759 case AUE_SYSCTL_NONADMIN
:
1760 if (ARG_IS_VALID(kar
, ARG_CTLNAME
| ARG_LEN
)) {
1761 for (ctr
= 0; ctr
< (int)ar
->ar_arg_len
; ctr
++) {
1762 tok
= au_to_arg32(1, "name",
1763 ar
->ar_arg_ctlname
[ctr
]);
1764 kau_write(rec
, tok
);
1767 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1768 tok
= au_to_arg32(5, "newval", ar
->ar_arg_value32
);
1769 kau_write(rec
, tok
);
1771 if (ARG_IS_VALID(kar
, ARG_TEXT
)) {
1772 tok
= au_to_text(ar
->ar_arg_text
);
1773 kau_write(rec
, tok
);
1777 case AUE_UMASK_EXTENDED
:
1779 if (ARG_IS_VALID(kar
, ARG_OPAQUE
)) {
1780 tok
= au_to_opaque(ar
->ar_arg_opaque
,
1781 ar
->ar_arg_opq_size
);
1782 kau_write(rec
, tok
);
1787 if (ARG_IS_VALID(kar
, ARG_MASK
)) {
1788 tok
= au_to_arg32(1, "new mask", ar
->ar_arg_mask
);
1789 kau_write(rec
, tok
);
1791 tok
= au_to_arg32(0, "prev mask", ar
->ar_retval
);
1792 kau_write(rec
, tok
);
1796 #if 0 /* XXXss - new */
1799 if (ARG_IS_VALID(kar
, ARG_PID
)) {
1800 tok
= au_to_arg32(0, "pid", ar
->ar_arg_pid
);
1801 kau_write(rec
, tok
);
1806 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1807 tok
= au_to_arg32(3, "volfsid", ar
->ar_arg_value32
);
1808 kau_write(rec
, tok
);
1810 if (ARG_IS_VALID(kar
, ARG_VALUE64
)) {
1811 tok
= au_to_arg64(4, "objid", ar
->ar_arg_value64
);
1812 kau_write(rec
, tok
);
1814 if (ARG_IS_VALID(kar
, ARG_TEXT
)) {
1815 tok
= au_to_text(ar
->ar_arg_text
);
1816 kau_write(rec
, tok
);
1820 case AUE_SESSION_START
:
1821 case AUE_SESSION_UPDATE
:
1822 case AUE_SESSION_END
:
1823 case AUE_SESSION_CLOSE
:
1824 if (ARG_IS_VALID(kar
, ARG_VALUE64
)) {
1825 tok
= au_to_arg64(1, "sflags", ar
->ar_arg_value64
);
1826 kau_write(rec
, tok
);
1828 if (ARG_IS_VALID(kar
, ARG_AMASK
)) {
1829 tok
= au_to_arg32(2, "am_success",
1830 ar
->ar_arg_amask
.am_success
);
1831 kau_write(rec
, tok
);
1832 tok
= au_to_arg32(3, "am_failure",
1833 ar
->ar_arg_amask
.am_failure
);
1834 kau_write(rec
, tok
);
1838 /************************
1839 * Mach system calls *
1840 ************************/
1841 case AUE_INITPROCESS
:
1844 case AUE_PIDFORTASK
:
1845 if (ARG_IS_VALID(kar
, ARG_MACHPORT1
)) {
1846 tok
= au_to_arg32(1, "port",
1847 (u_int32_t
)ar
->ar_arg_mach_port1
);
1848 kau_write(rec
, tok
);
1850 if (ARG_IS_VALID(kar
, ARG_PID
)) {
1851 tok
= au_to_arg32(2, "pid", (u_int32_t
)ar
->ar_arg_pid
);
1852 kau_write(rec
, tok
);
1856 case AUE_TASKFORPID
:
1857 case AUE_TASKNAMEFORPID
:
1858 if (ARG_IS_VALID(kar
, ARG_MACHPORT1
)) {
1859 tok
= au_to_arg32(1, "target port",
1860 (u_int32_t
)ar
->ar_arg_mach_port1
);
1861 kau_write(rec
, tok
);
1863 if (ARG_IS_VALID(kar
, ARG_MACHPORT2
)) {
1864 tok
= au_to_arg32(3, "task port",
1865 (u_int32_t
)ar
->ar_arg_mach_port2
);
1866 kau_write(rec
, tok
);
1868 PROCESS_PID_TOKENS(2);
1872 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1873 tok
= au_to_arg32(4, "priority",
1874 (u_int32_t
)ar
->ar_arg_value32
);
1875 kau_write(rec
, tok
);
1877 UPATH1_VNODE1_TOKENS
;
1881 UPATH1_VNODE1_TOKENS
;
1885 if (ARG_IS_VALID(kar
, ARG_ADDR64
)) {
1886 tok
= au_to_arg64(3, "va", ar
->ar_arg_addr
);
1887 kau_write(rec
, tok
);
1888 } else if (ARG_IS_VALID(kar
, ARG_ADDR32
)) {
1889 tok
= au_to_arg32(3, "va",
1890 (u_int32_t
)ar
->ar_arg_addr
);
1891 kau_write(rec
, tok
);
1897 case AUE_MAC_GET_FILE
:
1898 case AUE_MAC_SET_FILE
:
1899 case AUE_MAC_GET_LINK
:
1900 case AUE_MAC_SET_LINK
:
1901 case AUE_MAC_GET_MOUNT
:
1902 UPATH1_VNODE1_TOKENS
;
1906 case AUE_MAC_GET_FD
:
1907 case AUE_MAC_SET_FD
:
1912 case AUE_MAC_SYSCALL
:
1914 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1915 tok
= au_to_arg32(3, "call", ar
->ar_arg_value32
);
1916 kau_write(rec
, tok
);
1920 case AUE_MAC_EXECVE
:
1921 UPATH1_VNODE1_TOKENS
;
1925 case AUE_MAC_GET_PID
:
1926 if (ARG_IS_VALID(kar
, ARG_PID
)) {
1927 tok
= au_to_arg32(1, "pid", (u_int32_t
)ar
->ar_arg_pid
);
1928 kau_write(rec
, tok
);
1933 case AUE_MAC_GET_LCID
:
1934 if (ARG_IS_VALID(kar
, ARG_VALUE32
)) {
1935 tok
= au_to_arg32(1, "lcid",
1936 (u_int32_t
)ar
->ar_arg_value32
);
1937 kau_write(rec
, tok
);
1942 case AUE_MAC_GET_PROC
:
1943 case AUE_MAC_SET_PROC
:
1950 printf("BSM conversion requested for unknown event %d\n",
1955 * Write the subject token so it is properly freed here.
1957 kau_write(rec
, subj_tok
);
1959 return (BSM_NOAUDIT
);
1963 if (NULL
!= ar
->ar_mac_records
) {
1964 /* Convert the audit data from the MAC policies */
1965 struct mac_audit_record
*mar
;
1967 LIST_FOREACH(mar
, ar
->ar_mac_records
, records
) {
1968 switch (mar
->type
) {
1969 case MAC_AUDIT_DATA_TYPE
:
1970 tok
= au_to_data(AUP_BINARY
, AUR_BYTE
,
1972 (const char *)mar
->data
);
1974 case MAC_AUDIT_TEXT_TYPE
:
1975 tok
= au_to_text((char*) mar
->data
);
1979 * XXX: we can either continue,
1980 * skipping this particular entry,
1981 * or we can pre-verify the list and
1982 * abort before writing any records
1984 printf("kaudit_to_bsm(): "
1985 "BSM conversion requested for"
1986 "unknown mac_audit data type %d\n",
1990 kau_write(rec
, tok
);
1995 kau_write(rec
, subj_tok
);
1998 if (ar
->ar_cred_mac_labels
!= NULL
&&
1999 strlen(ar
->ar_cred_mac_labels
) != 0) {
2000 tok
= au_to_text(ar
->ar_cred_mac_labels
);
2001 kau_write(rec
, tok
);
2005 tok
= au_to_return32(au_errno_to_bsm(ar
->ar_errno
), ar
->ar_retval
);
2006 kau_write(rec
, tok
); /* Every record gets a return token */
2008 kau_close(rec
, &ar
->ar_endtime
, ar
->ar_event
);
2011 return (BSM_SUCCESS
);
2015 * Verify that a record is a valid BSM record. This verification is simple
2016 * now, but may be expanded on sometime in the future. Return 1 if the
2017 * record is good, 0 otherwise.
2020 bsm_rec_verify(void *rec
)
2022 char c
= *(char *)rec
;
2025 * Check the token ID of the first token; it has to be a header
2028 * XXXAUDIT There needs to be a token structure to map a token.
2029 * XXXAUDIT 'Shouldn't be simply looking at the first char.
2031 if ((c
!= AUT_HEADER32
) && (c
!= AUT_HEADER32_EX
) &&
2032 (c
!= AUT_HEADER64
) && (c
!= AUT_HEADER64_EX
))
2036 #endif /* CONFIG_AUDIT */